felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-01-12 18:38:23 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:892e3e4d6f1aa95561d8f7416101b0b6d8720eed
Branches Tags
felixalb:main felixalb:sops_add_vegardbm felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:backup-databases
Branches Tags
felixalb:main felixalb:sops_add_vegardbm felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

3 Commits
892e3e4d6f ... backup-dat

Author SHA1 Message Date
Øystein Tveit
4521d404ae WIP 2024-12-22 23:50:35 +01:00
h7x4
f498b82b07 WIP: backup mysql 2024-09-01 03:53:49 +02:00
h7x4
9034a71927 WIP: backup postgresql 2024-09-01 03:53:45 +02:00
73 changed files with 587 additions and 3444 deletions
Expand all files Collapse all files

7
.sops.yaml
View File

@@ -13,7 +13,6 @@ keys:
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
- &host_kvernberg age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz
creation_rules:
# Global secrets
@@ -79,9 +78,3 @@ creation_rules:
- *user_pederbs_bjarte
pgp:
- *user_oysteikt
- path_regex: secrets/kvernberg/[^/]+$
key_groups:
- age:
- *host_kvernberg
- *user_danio

6
README.MD
View File

@@ -26,14 +26,10 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

6
base/default.nix
View File

@@ -1,9 +1,9 @@
{ pkgs, lib, fp, ... }:
{ pkgs, lib, ... }:
{
imports = [
(fp /users)
(fp /modules/snakeoil-certs.nix)
../users
../modules/snakeoil-certs.nix
./networking.nix
./nix.nix

7
base/networking.nix
View File

@@ -1,10 +1,13 @@
{ lib, values, ... }:
{
systemd.network.enable = true;
networking.domain = "pvv.ntnu.no";
networking.useDHCP = false;
# networking.search = [ "pvv.ntnu.no" "pvv.org" ];
# networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
# networking.tempAddresses = lib.mkDefault "disabled";
# networking.defaultGateway = values.hosts.gateway;
# The rest of the networking configuration is usually sourced from /values.nix
systemd.network.enable = true;
services.resolved = {
enable = lib.mkDefault true;

6
base/nix.nix
View File

@@ -23,12 +23,8 @@
*/
registry = {
"nixpkgs".flake = inputs.nixpkgs;
"nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
"pvv-nix".flake = inputs.self;
};
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.nixpkgs-unstable}"
];
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
};
}

22
base/services/auto-upgrade.nix
View File

@@ -1,26 +1,12 @@
{ inputs, pkgs, lib, ... }:
{ ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=pvvvvv";
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# https://git.lix.systems/lix-project/lix/issues/400
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/refs/pull/332699/merge"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small"
"--update-input" "nixpkgs"
"--update-input" "nixpkgs-unstable"
"--no-write-lock-file"
];
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
environment.etc."current-system-flake-inputs.json".source
= pkgs.writers.writeJSON "flake-inputs.json" (
lib.flip lib.mapAttrs inputs (name: input:
# inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
// { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
)
);
}

1
base/services/logrotate.nix
View File

@@ -31,6 +31,7 @@
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [

7
base/services/openssh.nix
View File

@@ -10,12 +10,5 @@
Match All
'';
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
];
}

195
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1731746438,
"narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
"lastModified": 1715445235,
"narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
"owner": "nix-community",
"repo": "disko",
"rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
"rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
"type": "github"
},
"original": {
@@ -20,25 +20,64 @@
"type": "github"
}
},
"greg-ng": {
"fix-python": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"grzegorz",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
]
},
"locked": {
"lastModified": 1730249639,
"narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
"ref": "refs/heads/main",
"rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
"revCount": 34,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
"lastModified": 1713887124,
"narHash": "sha256-hGTSm0p9xXUYDgsAAr/ORZICo6T6u33vLfX3tILikaQ=",
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"rev": "f7f4b33e22414071fc1f9cbf68072c413c3a7fdf",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
"owner": "GuillaumeDesforges",
"repo": "fix-python",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"grzegorz": {
"inputs": {
"fix-python": "fix-python",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1715364232,
"narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
"type": "github"
},
"original": {
"owner": "Programvareverkstedet",
"repo": "grzegorz",
"type": "github"
}
},
"grzegorz-clients": {
@@ -48,17 +87,17 @@
]
},
"locked": {
"lastModified": 1726861934,
"narHash": "sha256-lOzPDwktd+pwszUTbpUdQg6iCzInS11fHLfkjmnvJrM=",
"ref": "refs/heads/master",
"rev": "546d921ec46735dbf876e36f4af8df1064d09432",
"revCount": 78,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
"lastModified": 1715384651,
"narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/grzegorz-clients.git"
"owner": "Programvareverkstedet",
"repo": "grzegorz-clients",
"type": "github"
}
},
"matrix-next": {
@@ -68,35 +107,20 @@
]
},
"locked": {
"lastModified": 1727410897,
"narHash": "sha256-tWsyxvf421ieWUJYgjV7m1eTdr2ZkO3vId7vmtvfFpQ=",
"lastModified": 1717234745,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "ff787d410cba17882cd7b6e2e22cc88d4064193c",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.6.1",
"ref": "v0.6.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
},
"minecraft-data": {
"locked": {
"lastModified": 1725277886,
"narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
"ref": "refs/heads/master",
"rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
"revCount": 2,
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
},
"original": {
"type": "git",
"url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
}
},
"nix-gitea-themes": {
"inputs": {
"nixpkgs": [
@@ -119,50 +143,48 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1731779898,
"narHash": "sha256-oxxCrYZM0WNRoaokDyVXcPIlTc8Z2yX4QjKbgXGI3IM=",
"lastModified": 1719520878,
"narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9972661139e27eed0237df4dde34839e09028cd5",
"rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "refs/pull/332699/merge",
"repo": "nixpkgs",
"type": "github"
"id": "nixpkgs",
"ref": "nixos-24.05-small",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"lastModified": 1714858427,
"narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1731745710,
"narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
"lastModified": 1715435713,
"narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
"rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
"type": "github"
},
"original": {
"owner": "NixOS",
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
"type": "indirect"
}
},
"pvv-calendar-bot": {
@@ -192,11 +214,11 @@
]
},
"locked": {
"lastModified": 1725212759,
"narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
"lastModified": 1722722932,
"narHash": "sha256-K81a2GQpY2kRX+C9ek9r91THlZB674CqRTSMMb5IO7E=",
"ref": "refs/heads/master",
"rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
"revCount": 473,
"rev": "6580cfe546c902cdf11e17b0b8aa30b3c412bb34",
"revCount": 465,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
},
@@ -208,10 +230,9 @@
"root": {
"inputs": {
"disko": "disko",
"greg-ng": "greg-ng",
"grzegorz": "grzegorz",
"grzegorz-clients": "grzegorz-clients",
"matrix-next": "matrix-next",
"minecraft-data": "minecraft-data",
"nix-gitea-themes": "nix-gitea-themes",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
@@ -220,27 +241,6 @@
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"greg-ng",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729391507,
"narHash": "sha256-as0I9xieJUHf7kiK2a9znDsVZQTFWhM1pLivII43Gi0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "784981a9feeba406de38c1c9a3decf966d853cca",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
@@ -249,11 +249,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731748189,
"narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
"lastModified": 1715244550,
"narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
"rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
"type": "github"
},
"original": {
@@ -261,6 +261,21 @@
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

35
flake.nix
View File

@@ -2,8 +2,8 @@
description = "PVV System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/refs/pull/332699/merge"; # remember to also update the url in base/services/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -17,18 +17,16 @@
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.1";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Projects/greg-ng.git";
greg-ng.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients.git";
grzegorz.url = "github:Programvareverkstedet/grzegorz";
grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
};
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -57,9 +55,8 @@
rec {
system = "x86_64-linux";
specialArgs = {
inherit unstablePkgs inputs;
inherit nixpkgs-unstable inputs;
values = import ./values.nix;
fp = path: ./${path};
};
modules = [
@@ -95,7 +92,6 @@
heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
bluemap = final.callPackage ./packages/bluemap.nix { };
})
inputs.nix-gitea-themes.overlays.default
inputs.pvv-nettsiden.overlays.default
@@ -117,28 +113,17 @@
brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
];
};
georg = stableNixosConfig "georg" {
modules = [
inputs.grzegorz.nixosModules.grzegorz-kiosk
inputs.grzegorz-clients.nixosModules.grzegorz-webui
inputs.greg-ng.nixosModules.default
];
overlays = [
inputs.greg-ng.overlays.default
];
};
kvernberg = stableNixosConfig "kvernberg" {
modules = [
disko.nixosModules.disko
{ disko.devices.disk.disk1.device = "/dev/sda"; }
];
};
buskerud = stableNixosConfig "buskerud" { };
};
nixosModules = {

10
hosts/bekkalokk/configuration.nix
View File

@@ -1,12 +1,11 @@
{ fp, pkgs, values, ... }:
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
./services/bluemap/default.nix
./services/gitea/default.nix
./services/idp-simplesamlphp
./services/kerberos
@@ -16,10 +15,9 @@
./services/vaultwarden.nix
./services/webmail
./services/website
./services/well-known
];
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;

83
hosts/bekkalokk/services/bluemap/default.nix
View File

@@ -1,83 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
in {
imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-servers/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { };
sops.secrets."bluemap/ssh-known-hosts" = { };
services.bluemap = {
enable = true;
eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
host = "minecraft.pvv.ntnu.no";
maps = {
"verden" = {
settings = {
world = vanillaSurvival;
sorting = 0;
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
};
};
"underverden" = {
settings = {
world = "${vanillaSurvival}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
};
};
"enden" = {
settings = {
world = "${vanillaSurvival}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
};
# TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
}

343
hosts/bekkalokk/services/bluemap/module.nix
View File

@@ -1,343 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
coreConfig = format.generate "core.conf" cfg.coreSettings;
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value))
cfg.storage);
mapsFolder = pkgs.linkFarm "maps"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value.settings))
cfg.maps);
webappConfigFolder = pkgs.linkFarm "bluemap-config" {
"maps" = mapsFolder;
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig;
"packs" = cfg.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = (format.generate "${name}.conf" value.settings);
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.resourcepacks;
"addons" = cfg.resourcepacks; # TODO
};
inherit (lib) mkOption;
in {
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
eula = mkOption {
type = lib.types.bool;
description = ''
By changing this option to true you confirm that you own a copy of minecraft Java Edition,
and that you agree to minecrafts EULA.
'';
default = false;
};
defaultWorld = mkOption {
type = lib.types.path;
description = ''
The world used by the default map ruleset.
If you configure your own maps you do not need to set this.
'';
example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
};
enableRender = mkOption {
type = lib.types.bool;
description = "Enable rendering";
default = true;
};
webRoot = mkOption {
type = lib.types.path;
default = "/var/lib/bluemap/web";
description = "The directory for saving and serving the webapp and the maps";
};
enableNginx = mkOption {
type = lib.types.bool;
default = true;
description = "Enable configuring a virtualHost for serving the bluemap webapp";
};
host = mkOption {
type = lib.types.str;
default = "bluemap.${config.networking.domain}";
defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
description = "Domain to configure nginx for";
};
onCalendar = mkOption {
type = lib.types.str;
description = ''
How often to trigger rendering the map,
in the format of a systemd timer onCalendar configuration.
See {manpage}`systemd.timer(5)`.
'';
default = "*-*-* 03:10:00";
};
coreSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
data = mkOption {
type = lib.types.path;
description = "Folder for where bluemap stores its data";
default = "/var/lib/bluemap";
};
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
};
};
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
};
webappSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
};
default = {
enabled = true;
webroot = cfg.webRoot;
};
defaultText = lib.literalExpression ''
{
enabled = true;
webroot = config.services.bluemap.webRoot;
}
'';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
};
webserverSettings = mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
enabled = mkOption {
type = lib.types.bool;
description = ''
Enable bluemap's built-in webserver.
Disabled by default in nixos for use of nginx directly.
'';
default = false;
};
};
};
default = { };
description = ''
Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
'';
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
resourcepacks = mkOption {
type = lib.types.path;
default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
};
settings = mkOption {
type = (lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
});
default = {
"overworld".settings = {
world = "${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
defaultText = lib.literalExpression ''
{
"overworld".settings = {
world = "''${cfg.defaultWorld}";
ambient-light = 0.1;
cave-detection-ocean-floor = -5;
};
"nether".settings = {
world = "''${cfg.defaultWorld}/DIM-1";
sorting = 100;
sky-color = "#290000";
void-color = "#150000";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true;
max-y = 90;
};
"end".settings = {
world = "''${cfg.defaultWorld}/DIM1";
sorting = 200;
sky-color = "#080010";
void-color = "#080010";
ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5;
};
};
'';
description = ''
map-specific configuration.
These correspond to views in the webapp and are usually
different dimension of a world or different render settings of the same dimension.
If you set anything in this option you must configure all dimensions yourself!
'';
};
storage = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [ "FILE" "SQL" ];
description = "Type of storage config";
default = "FILE";
};
};
});
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
'';
default = {
"file" = {
root = "${cfg.webRoot}/maps";
};
};
defaultText = lib.literalExpression ''
{
"file" = {
root = "''${config.services.bluemap.webRoot}/maps";
};
}
'';
};
resourcepacks = mkOption {
type = lib.types.path;
default = pkgs.linkFarm "resourcepacks" { };
description = ''
A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
'';
};
};
config = lib.mkIf cfg.enable {
assertions =
[ { assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
services.bluemap.coreSettings.accept-download = cfg.eula;
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = {
Type = "oneshot";
Group = "nginx";
UMask = "026";
};
script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
};
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.onCalendar;
Persistent = true;
Unit = "render-bluemap-maps.service";
};
};
services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
"${cfg.host}" = {
root = config.services.bluemap.webRoot;
locations = {
"~* ^/maps/[^/]*/tiles/".extraConfig = ''
error_page 404 = @empty;
'';
"@empty".return = "204";
};
};
};
};
meta = {
maintainers = with lib.maintainers; [ dandellion h7x4 ];
};
}

46
hosts/bekkalokk/services/gitea/default.nix
View File

@@ -1,4 +1,4 @@
{ config, values, fp, pkgs, lib, ... }:
{ config, values, pkgs, lib, ... }:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
@@ -55,11 +55,6 @@ in {
USER = "gitea@pvv.ntnu.no";
SUBJECT_PREFIX = "[pvv-git]";
};
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
indexer.REPO_INDEXER_ENABLED = true;
service = {
DISABLE_REGISTRATION = true;
@@ -104,30 +99,6 @@ in {
ENABLE_FEDERATED_AVATAR = false;
};
actions.ENABLED = true;
ui = {
REACTIONS = lib.concatStringsSep "," [
"+1"
"-1"
"laugh"
"confused"
"heart"
"hooray"
"rocket"
"eyes"
"100"
"anger"
"astonished"
"no_good"
"ok_hand"
"pensive"
"pizza"
"point_up"
"sob"
"skull"
"upside_down_face"
"shrug"
];
};
"ui.meta".DESCRIPTION = "Bokstavelig talt programvareverkstedet";
};
};
@@ -138,21 +109,12 @@ in {
forceSSL = true;
enableACME = true;
kTLS = true;
locations = {
"/" = {
locations."/" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
client_max_body_size 512M;
'';
};
"/metrics" = {
proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4}/32;
deny all;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ sshPort ];
@@ -173,8 +135,8 @@ in {
};
script = let
logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png;
logo-svg = ../../../../assets/logo_blue_regular.svg;
logo-png = ../../../../assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>

6
hosts/bekkalokk/services/idp-simplesamlphp/default.nix
View File

@@ -202,12 +202,6 @@ in
rewrite ^/simplesaml/(.*)$ /$1 redirect;
return 404;
'';
"/robots.txt" = {
root = pkgs.writeTextDir "robots.txt" ''
User-agent: *
Disallow: /
'';
};
};
};
};

8
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
@@ -210,8 +210,8 @@ in {
'';
};
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
@@ -219,7 +219,7 @@ in {
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${fp /assets/logo_blue_regular.png} \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \

10
hosts/bekkalokk/services/webmail/roundcube.nix
View File

@@ -6,11 +6,6 @@ let
domain = "webmail.pvv.ntnu.no";
in
{
sops.secrets."roundcube/postgres_password" = {
owner = "nginx";
group = "nginx";
};
services.roundcube = {
enable = true;
@@ -25,11 +20,6 @@ in
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
database = {
host = "postgres.pvv.ntnu.no";
passwordFile = config.sops.secrets."roundcube/postgres_password".path;
};
extraConfig = ''
$config['enable_installer'] = false;
$config['default_host'] = "ssl://imap.pvv.ntnu.no";

4
hosts/bekkalokk/services/webmail/snappymail.nix
View File

@@ -1,8 +1,8 @@
{ config, lib, fp, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.snappymail;
in {
imports = [ (fp /modules/snappymail.nix) ];
imports = [ ../../../../modules/snappymail.nix ];
services.snappymail = {
enable = true;

10
hosts/bekkalokk/services/website/default.nix
View File

@@ -116,6 +116,16 @@ in {
"/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
"/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
"/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
}

27
hosts/bekkalokk/services/website/fetch-gallery.nix
View File

@@ -62,33 +62,6 @@ in {
WorkingDirectory = galleryDir;
User = config.services.pvv-nettsiden.user;
Group = config.services.pvv-nettsiden.group;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; # disable for third party rotate scripts
PrivateDevices = true;
PrivateNetwork = true; # disable for mail delivery
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true; # disable for userdir logs
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true; # disable for creating setgid directories
SocketBindDeny = [ "any" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
];
};
};
}

18
hosts/bekkalokk/services/well-known/default.nix
View File

@@ -1,18 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
"^~ /.well-known/" = {
alias = (toString ./root) + "/";
};
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"^~ /.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
}

31
hosts/bekkalokk/services/well-known/root/autoconfig/mail/config-v1.1.xml
View File

@@ -1,31 +0,0 @@
<?xml version="1.0"?>
<clientConfig version="1.1">
<emailProvider id="pvv.ntnu.no">
<domain>pvv.ntnu.no</domain>
<domain>pvv.org</domain>
<displayName>Programvareverkstedet</displayName>
<incomingServer type="imap">
<hostname>imap.pvv.ntnu.no</hostname>
<port>993</port>
<socketType>SSL</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
</incomingServer>
<outgoingServer type="smtp">
<hostname>smtp.pvv.ntnu.no</hostname>
<port>587</port>
<socketType>STARTTLS</socketType>
<username>%EMAILLOCALPART%</username>
<authentication>password-cleartext</authentication>
<useGlobalPreferredServer>true</useGlobalPreferredServer>
</outgoingServer>
<documentation url="https://www.pvv.ntnu.no/pvv/Drift/Mail/IMAP_POP3">
<descr lang="en">Setup programvareverkstedet email user with IMAP or POP3</descr>
<descr lang="nb">Sett opp programvareverkstedet email bruker med IMAP eller POP3</descr>
</documentation>
</emailProvider>
</clientConfig>

12
hosts/bekkalokk/services/well-known/root/security.txt
View File

@@ -1,12 +0,0 @@
Contact: mailto:drift@pvv.ntnu.no
Contact: mailto:cert@pvv.ntnu.no
# drift@pvv.ntnu.no is read by more people and have a quicker reaction time,
# but cert@pvv.ntnu.no can be used for more severe issues.
Preferred-Languages: no, en
Expires: 2032-12-31T23:59:59.000Z
# This file was last updated 2024-09-14.
# You can find a wikipage for our security policies at:
# https://wiki.pvv.ntnu.no/wiki/CERT

24
hosts/bicep/acmeCert.nix Normal file
View File

@@ -0,0 +1,24 @@
{ values, ... }:
{
users.groups.acme.members = [ "nginx" ];
security.acme.certs."postgres.pvv.ntnu.no" = {
group = "acme";
extraDomainNames = [
# "postgres.pvv.org"
"bicep.pvv.ntnu.no"
# "bicep.pvv.org"
# values.hosts.bicep.ipv4
# values.hosts.bicep.ipv6
];
};
services.nginx = {
enable = true;
virtualHosts."postgres.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
# useACMEHost = "postgres.pvv.ntnu.no";
};
};
}

13
hosts/bicep/configuration.nix
View File

@@ -1,12 +1,14 @@
{ fp, pkgs, values, ... }:
{ pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
./services/nginx
./acmeCert.nix
./services/mysql.nix
./services/postgres.nix
./services/mysql.nix
@@ -15,7 +17,7 @@
./services/matrix
];
sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
@@ -34,9 +36,6 @@
anyInterface = true;
};
# There are no smart devices
services.smartd.enable = false;
# Do not change, even during upgrades.
# See https://search.nixos.org/options?show=system.stateVersion
system.stateVersion = "22.11";

6
hosts/bicep/services/calendar-bot.nix
View File

@@ -1,16 +1,16 @@
{ config, fp, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-calendar-bot;
in {
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/matrix_token";
owner = cfg.user;
group = cfg.group;
};
"calendar-bot/mysql_password" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
sopsFile = ../../../secrets/bicep/bicep.yaml;
key = "calendar-bot/mysql_password";
owner = cfg.user;
group = cfg.group;

12
hosts/bicep/services/matrix/coturn.nix
View File

@@ -1,14 +1,14 @@
{ config, lib, fp, pkgs, secrets, values, ... }:
{ config, lib, pkgs, secrets, ... }:
{
sops.secrets."matrix/synapse/turnconfig" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group;
@@ -60,14 +60,12 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
use-auth-secret = true;
# World readable but I dont think it's that bad
static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
secure-stun = true;
listening-ips = [
values.services.turn.ipv4
# values.services.turn.ipv6
];
listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
tls-listening-port = 443;
alt-tls-listening-port = 5349;

1
hosts/bicep/services/matrix/default.nix
View File

@@ -10,7 +10,6 @@
./mjolnir.nix
./discord.nix
./hookshot
];

46
hosts/bicep/services/matrix/discord.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, fp, ... }:
{ config, lib, ... }:
let
cfg = config.services.mx-puppet-discord;
@@ -6,42 +6,15 @@ in
{
users.groups.keys-matrix-registrations = { };
sops.secrets."matrix/discord/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/as_token";
};
sops.secrets."matrix/discord/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "discord/hs_token";
};
sops.templates."discord-registration.yaml" = {
sops.secrets."matrix/registrations/mx-puppet-discord" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "registrations/mx-puppet-discord";
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
id: discord-puppet
namespaces:
users:
- exclusive: true
regex: '@_discordpuppet_.*'
rooms: []
aliases:
- exclusive: true
regex: '#_discordpuppet_.*'
protocols: []
rate_limited: false
sender_localpart: _discordpuppet_bot
url: 'http://localhost:8434'
de.sorunome.msc2409.push_ephemeral: true
'';
};
systemd.services.mx-puppet-discord = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
};
@@ -56,16 +29,11 @@ in
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
];
app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
use_appservice_legacy_authorization = true;
};

139
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -1,139 +0,0 @@
{ config, lib, fp, unstablePkgs, inputs, ... }:
let
cfg = config.services.matrix-hookshot;
webhookListenAddress = "127.0.0.1";
webhookListenPort = 8435;
in
{
imports = [
./module.nix
];
sops.secrets."matrix/hookshot/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/as_token";
};
sops.secrets."matrix/hookshot/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
key = "hookshot/hs_token";
};
sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name;
content = ''
id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:pvv.ntnu.no"
exclusive: true
- regex: "@bot_feeds:pvv.ntnu.no"
exclusive: true
aliases: []
sender_localpart: hookshot
url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
rate_limited: false
# If enabling encryption
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
org.matrix.msc3202: true
'';
};
systemd.services.matrix-hookshot = {
serviceConfig.SupplementaryGroups = [
config.users.groups.keys-matrix-registrations.name
];
};
services.matrix-hookshot = {
enable = true;
package = unstablePkgs.matrix-hookshot;
registrationFile = config.sops.templates."hookshot-registration.yaml".path;
settings = {
bridge = {
bindAddress = "127.0.0.1";
domain = "pvv.ntnu.no";
url = "https://matrix.pvv.ntnu.no";
mediaUrl = "https://matrix.pvv.ntnu.no";
port = 9993;
};
listeners = [
{
bindAddress = webhookListenAddress;
port = webhookListenPort;
resources = [
"webhooks"
# "metrics"
# "provisioning"
"widgets"
];
}
];
generic = {
enabled = true;
outbound = true;
urlPrefix = "https://hookshot.pvv.ntnu.no/webhook/";
userIdPrefix = "_webhooks_";
allowJsTransformationFunctions = false;
waitForComplete = false;
};
feeds = {
enabled = true;
pollIntervalSeconds = 600;
};
serviceBots = [
{ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
service = "feeds";
}
];
permissions = [
# Users of the PVV Server
{ actor = "pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Medlem space (for people with their own hs)
{ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
services = [ { service = "*"; level = "commands"; } ];
}
# Members of Drift
{ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
services = [ { service = "*"; level = "admin"; } ];
}
# Dan bootstrap
{ actor = "@dandellion:dodsorf.as";
services = [ { service = "*"; level = "admin"; } ];
}
];
};
};
services.matrix-hookshot.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."hookshot-registration.yaml".path
];
};
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
enableACME = true;
locations."/" = {
proxyPass = "http://${webhookListenAddress}:${toString webhookListenPort}";
};
};
}

BIN
hosts/bicep/services/matrix/hookshot/feeds.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

127
hosts/bicep/services/matrix/hookshot/module.nix
View File

@@ -1,127 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.matrix-hookshot;
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings;
in
{
options = {
services.matrix-hookshot = {
enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services";
package = lib.mkPackageOption pkgs "matrix-hookshot" { };
registrationFile = lib.mkOption {
type = lib.types.path;
description = ''
Appservice registration file.
As it contains secret tokens, you may not want to add this to the publicly readable Nix store.
'';
example = lib.literalExpression ''
pkgs.writeText "matrix-hookshot-registration" \'\'
id: matrix-hookshot
as_token: aaaaaaaaaa
hs_token: aaaaaaaaaa
namespaces:
rooms: []
users:
- regex: "@_webhooks_.*:foobar"
exclusive: true
sender_localpart: hookshot
url: "http://localhost:9993"
rate_limited: false
\'\'
'';
};
settings = lib.mkOption {
description = ''
{file}`config.yml` configuration as a Nix attribute set.
For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html).
'';
example = {
bridge = {
domain = "example.com";
url = "http://localhost:8008";
mediaUrl = "https://example.com";
port = 9993;
bindAddress = "127.0.0.1";
};
listeners = [
{
port = 9000;
bindAddress = "0.0.0.0";
resources = [ "webhooks" ];
}
{
port = 9001;
bindAddress = "localhost";
resources = [
"metrics"
"provisioning"
];
}
];
};
default = { };
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
passFile = lib.mkOption {
type = lib.types.path;
default = "/var/lib/matrix-hookshot/passkey.pem";
description = ''
A passkey used to encrypt tokens stored inside the bridge.
File will be generated if not found.
'';
};
};
};
};
serviceDependencies = lib.mkOption {
type = with lib.types; listOf str;
default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
defaultText = lib.literalExpression ''
lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit
'';
description = ''
List of Systemd services to require and wait for when starting the application service,
such as the Matrix homeserver if it's running on the same host.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.matrix-hookshot = {
description = "a bridge between Matrix and multiple project management services";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
preStart = ''
if [ ! -f '${cfg.settings.passFile}' ]; then
mkdir -p $(dirname '${cfg.settings.passFile}')
${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
fi
'';
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}";
};
};
};
meta.maintainers = with lib.maintainers; [ flandweber ];
}

4
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -1,8 +1,8 @@
{ config, lib, fp, ... }:
{ config, lib, ... }:
{
sops.secrets."matrix/mjolnir/access_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group;

20
hosts/bicep/services/matrix/synapse.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, fp, pkgs, values, inputs, ... }:
{ config, lib, pkgs, values, inputs, ... }:
let
cfg = config.services.matrix-synapse-next;
@@ -10,18 +10,23 @@ let
in {
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/synapse/user_registration" = {
sopsFile = fp /secrets/bicep/matrix.yaml;
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "synapse/signing_key";
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
};
sops.secrets."matrix/sliding-sync/env" = {
sopsFile = ../../../../secrets/bicep/matrix.yaml;
key = "sliding-sync/env";
};
services.matrix-synapse-next = {
enable = true;
@@ -38,6 +43,8 @@ in {
workers.eventPersisters = 2;
workers.useUserDirectoryWorker = true;
enableSlidingSync = true;
enableNginx = true;
settings = {
@@ -130,6 +137,9 @@ in {
};
};
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/sliding-sync/env".path;
services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
@@ -172,6 +182,8 @@ in {
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
})
@@ -183,6 +195,8 @@ in {
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
allow ${values.hosts.ildkule.ipv4_global};
allow ${values.hosts.ildkule.ipv6_global};
deny all;
'';
};

62
hosts/bicep/services/mysql.nix
View File

@@ -1,4 +1,7 @@
{ pkgs, lib, config, values, ... }:
let
backupDir = "/var/lib/mysql/backups";
in
{
sops.secrets."mysql/password" = {
owner = "mysql";
@@ -36,11 +39,6 @@
}];
};
services.mysqlBackup = {
enable = true;
location = "/var/lib/mysql/backups";
};
networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
@@ -50,4 +48,58 @@
values.ipv6-space
];
};
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-mysql" = {
description = "Backup MySQL data";
requires = [ "mysql.service" ];
path = [
pkgs.coreutils
pkgs.rsync
pkgs.gzip
config.services.mysql.package
];
script = let
rotations = 10;
# rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
rsyncTarget = "/data/backup/mysql";
in ''
set -eo pipefail
mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
rsync -avz --delete "${backupDir}" '${rsyncTarget}'
'';
serviceConfig = {
Type = "oneshot";
User = "mysql";
Group = "mysql";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [
backupDir
"/data/backup/mysql" # NOTE: should not be part of this option once rsyncTarget is remote
];
};
startAt = "*-*-* 02:15:00";
};
systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
user = "mysql";
group = "mysql";
mode = "700";
};
}

61
hosts/bicep/services/postgres.nix
View File

@@ -1,4 +1,7 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
let
backupDir = "/var/lib/postgresql/backups";
in
{
services.postgresql = {
enable = true;
@@ -90,9 +93,57 @@
networking.firewall.allowedTCPPorts = [ 5432 ];
networking.firewall.allowedUDPPorts = [ 5432 ];
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgres/backups";
backupAll = true;
# NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
# another unit, it was easier to just make one ourselves
systemd.services."backup-postgresql" = {
description = "Backup PostgreSQL data";
requires = [ "postgresql.service" ];
path = [
pkgs.coreutils
pkgs.rsync
pkgs.gzip
config.services.postgresql.package
];
script = let
rotations = 10;
# rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
rsyncTarget = "/data/backup/postgresql";
in ''
set -eo pipefail
pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
done
rsync -avz --delete "${backupDir}" '${rsyncTarget}'
'';
serviceConfig = {
Type = "oneshot";
User = "postgres";
Group = "postgres";
UMask = "0077";
Nice = 19;
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
ReadWritePaths = [
backupDir
"/data/backup/postgresql" # NOTE: should not be part of this option once rsyncTarget is remote
];
};
startAt = "*-*-* 01:15:00";
};
systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
user = "postgres";
group = "postgres";
mode = "700";
};
}

10
hosts/bob/configuration.nix
View File

@@ -1,16 +1,16 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
./disks.nix
(fp /misc/builder.nix)
../../misc/builder.nix
];
sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;

6
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -1,10 +1,10 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
./services/grzegorz.nix
];

4
hosts/brzeczyszczykiewicz/services/grzegorz.nix
View File

@@ -1,6 +1,6 @@
{ config, fp, ... }:
{ config, ... }:
{
imports = [ (fp /modules/grzegorz.nix) ];
imports = [ ../../../modules/grzegorz.nix ];
services.nginx.virtualHosts."${config.networking.fqdn}" = {
serverAliases = [

38
hosts/buskerud/configuration.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
../../misc/metrics-exporters.nix
./services/libvirt.nix
];
# buskerud does not support efi?
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
networking.hostName = "buskerud";
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled";
systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp3s0f0";
address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

37
hosts/buskerud/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
hosts/buskerud/services/libvirt.nix Normal file
View File

@@ -0,0 +1,10 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.kernelModules = [ "kvm-intel" ];
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://buskerud/system?socket=/var/run/libvirt/libvirt-sock"
}

8
hosts/georg/configuration.nix
View File

@@ -1,12 +1,12 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
(fp /modules/grzegorz.nix)
../../modules/grzegorz.nix
];
boot.loader.systemd-boot.enable = true;

46
hosts/ildkule/configuration.nix
View File

@@ -1,16 +1,16 @@
{ config, fp, pkgs, lib, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
./services/monitoring
./services/nginx
];
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
@@ -19,37 +19,33 @@
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
# Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
networking = let
hostConf = values.hosts.ildkule;
in {
hostName = "ildkule";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
networking.hostName = "ildkule"; # Define your hostname.
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
# Main connection, using the global/floatig IP, for communications with the world
systemd.network.networks."30-ntnu-global" = values.openstackGlobalNetworkConfig // {
matchConfig.Name = "ens4";
interfaces."ens4" = {
ipv4.addresses = [
{ address = hostConf.ipv4; prefixLength = 32; }
{ address = hostConf.ipv4_internal; prefixLength = 24; }
];
ipv6.addresses = [
{ address = hostConf.ipv6; prefixLength = 64; }
# Add the global addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4_global}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6_global}/128"; }
];
};
# Secondary connection only for use within the university network
systemd.network.networks."40-ntnu-internal" = values.openstackLocalNetworkConfig // {
matchConfig.Name = "ens3";
# Add the ntnu-internal addresses in addition to the local address learned from DHCP
addresses = [
{ addressConfig.Address = "${values.hosts.ildkule.ipv4}/32"; }
{ addressConfig.Address = "${values.hosts.ildkule.ipv6}/128"; }
];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
system.stateVersion = "23.11"; # Did you read the comment?
}

9
hosts/ildkule/hardware-configuration.nix
View File

@@ -3,14 +3,7 @@
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
fsType = "ext4";
};
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
networking.useDHCP = lib.mkDefault true;
}

1546
hosts/ildkule/services/monitoring/dashboards/gitea-dashbaord.json
View File

File diff suppressed because it is too large Load Diff

6
hosts/ildkule/services/monitoring/grafana.nix
View File

@@ -75,12 +75,6 @@ in {
url = "https://grafana.com/api/dashboards/240/revisions/3/download";
options.path = dashboards/go-processes.json;
}
{
name = "Gitea Dashbaord";
type = "file";
url = "https://grafana.com/api/dashboards/17802/revisions/3/download";
options.path = dashboards/gitea-dashbaord.json;
}
];
};

13
hosts/ildkule/services/monitoring/loki.nix
View File

@@ -2,7 +2,6 @@
let
cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
in {
services.loki = {
enable = true;
@@ -17,7 +16,7 @@ in {
ingester = {
wal = {
enabled = true;
dir = "${stateDir}/wal";
dir = "/var/lib/loki/wal";
};
lifecycler = {
address = "127.0.0.1";
@@ -49,12 +48,12 @@ in {
storage_config = {
boltdb_shipper = {
active_index_directory = "${stateDir}/boltdb-shipper-index";
cache_location = "${stateDir}/boltdb-shipper-cache";
active_index_directory = "/var/lib/loki/boltdb-shipper-index";
cache_location = "/var/lib/loki/boltdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "${stateDir}/chunks";
directory = "/var/lib/loki/chunks";
};
};
@@ -65,14 +64,14 @@ in {
};
compactor = {
working_directory = "${stateDir}/compactor";
working_directory = "/var/lib/loki/compactor";
};
# ruler = {
# storage = {
# type = "local";
# local = {
# directory = "${stateDir}/rules";
# directory = "/var/lib/loki/rules";
# };
# };
# rule_path = "/etc/loki/rules";

14
hosts/ildkule/services/monitoring/prometheus/default.nix
View File

@@ -1,26 +1,18 @@
{ config, ... }: let
stateDir = "/data/monitoring/prometheus";
in {
{ config, ... }: {
imports = [
./gitea.nix
./gogs.nix
./matrix-synapse.nix
# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
# ./mysqld.nix
./node.nix
./postgres.nix
./machines.nix
];
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 9001;
ruleFiles = [ rules/synapse-v2.rules ];
};
fileSystems."/var/lib/prometheus2" = {
device = stateDir;
options = [ "bind" ];
};
}

16
hosts/ildkule/services/monitoring/prometheus/gitea.nix
View File

@@ -1,16 +0,0 @@
{ ... }:
{
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "60s";
scheme = "https";
static_configs = [
{
targets = [
"git.pvv.ntnu.no:443"
];
}
];
}];
}

16
hosts/ildkule/services/monitoring/prometheus/gogs.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "git-gogs";
scheme = "https";
metrics_path = "/-/metrics";
static_configs = [
{
targets = [
"essendrop.pvv.ntnu.no:443"
];
}
];
}];
}

54
hosts/ildkule/services/monitoring/prometheus/machines.nix
View File

@@ -1,54 +0,0 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "base_info";
static_configs = [
{ labels.hostname = "ildkule";
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"ildkule.pvv.ntnu.no:${toString cfg.exporters.systemd.port}"
];
}
{ labels.hostname = "bekkalokk";
targets = [
"bekkalokk.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "bicep";
targets = [
"bicep.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "brzeczyszczykiewicz";
targets = [
"brzeczyszczykiewicz.pvv.ntnu.no:9100"
"brzeczyszczykiewicz.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "georg";
targets = [
"georg.pvv.ntnu.no:9100"
"georg.pvv.ntnu.no:9101"
];
}
{ labels.hostname = "hildring";
targets = [
"hildring.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "isvegg";
targets = [
"isvegg.pvv.ntnu.no:9100"
];
}
{ labels.hostname = "microbel";
targets = [
"microbel.pvv.ntnu.no:9100"
];
}
];
}];
}

22
hosts/ildkule/services/monitoring/prometheus/node.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, ... }: let
cfg = config.services.prometheus;
in {
services.prometheus.scrapeConfigs = [{
job_name = "node";
static_configs = [
{
targets = [
"ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
"microbel.pvv.ntnu.no:9100"
"isvegg.pvv.ntnu.no:9100"
"knakelibrak.pvv.ntnu.no:9100"
"hildring.pvv.ntnu.no:9100"
"bicep.pvv.ntnu.no:9100"
"essendrop.pvv.ntnu.no:9100"
"andresbu.pvv.ntnu.no:9100"
"bekkalokk.pvv.ntnu.no:9100"
];
}
];
}];
}

6
hosts/ildkule/services/monitoring/uptime-kuma.nix
View File

@@ -2,7 +2,6 @@
let
cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
in {
services.uptime-kuma = {
enable = true;
@@ -18,9 +17,4 @@ in {
kTLS = true;
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
fileSystems."/var/lib/uptime-kuma" = {
device = stateDir;
options = [ "bind" ];
};
}

45
hosts/kvernberg/configuration.nix
View File

@@ -1,45 +0,0 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
./disks.nix
./services/nginx.nix
./services/pvvvvvv
];
sops.defaultSopsFile = fp /secrets/kvernberg/kvernberg.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "kvernberg"; # Define your hostname.
systemd.network.networks."30-all" = values.defaultNetworkConfig // {
matchConfig.Name = "en*";
address = with values.hosts.kvernberg; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# No devices with SMART
services.smartd.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

39
hosts/kvernberg/disks.nix
View File

@@ -1,39 +0,0 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/kvernberg/hardware-configuration.nix
View File

@@ -1,26 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

5
hosts/kvernberg/services/nginx.nix
View File

@@ -1,5 +0,0 @@
{ config, lib, ... }:
{
services.nginx.enable = true;
}

51
hosts/kvernberg/services/pvvvvvv/bank.nix
View File

@@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.libeufin.bank;
tcfg = config.services.taler;
inherit (tcfg.settings.taler) CURRENCY;
in {
services.libeufin.bank = {
enable = true;
debug = true;
createLocalDatabase = true;
initialAccounts = [
{ username = "exchange";
password = "exchange";
name = "Exchange";
}
];
settings = {
libeufin-bank = {
WIRE_TYPE = "x-taler-bank";
X_TALER_BANK_PAYTO_HOSTNAME = "bank.kvernberg.pvv.ntnu.no";
BASE_URL = "bank.kvernberg.pvv.ntnu.no/";
ALLOW_REGISTRATION = "yes";
REGISTRATION_BONUS_ENABLED = "yes";
REGISTRATION_BONUS = "${CURRENCY}:500";
DEFAULT_DEBT_LIMIT = "${CURRENCY}:0";
ALLOW_CONVERSION = "no";
ALLOW_EDIT_CASHOUT_PAYTO_URI = "yes";
SUGGESTED_WITHDRAWAL_EXCHANGE = "https://exchange.kvernberg.pvv.ntnu.no/";
inherit CURRENCY;
};
};
};
services.nginx.virtualHosts."bank.kvernberg.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8082";
extraConfig = ''
proxy_read_timeout 300s;
'';
};
};
}

13
hosts/kvernberg/services/pvvvvvv/default.nix
View File

@@ -1,13 +0,0 @@
{
imports = [
./exchange.nix
./bank.nix
];
services.taler = {
settings = {
taler.CURRENCY = "SCHPENN";
taler.CURRENCY_ROUND_UNIT = "${cfg.settings.taler.CURRENCY}:1";
};
};
}

187
hosts/kvernberg/services/pvvvvvv/exchange.nix
View File

@@ -1,187 +0,0 @@
{ config, lib, fp, pkgs, ... }:
let
cfg = config.services.taler;
inherit (cfg.settings.taler) CURRENCY;
in {
sops.secrets.exchange-offline-master = {
format = "binary";
sopsFile = fp /secrets/kvernberg/exhange-offline-master.priv;
};
services.taler.exchange = {
enable = true;
debug = true;
denominationConfig = ''
## Old denomination names cannot be used again
# [COIN-${CURRENCY}-k1-1-0]
## NOK Denominations
[coin-${CURRENCY}-nok-1-0]
VALUE = ${CURRENCY}:1
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-5-0]
VALUE = ${CURRENCY}:5
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-10-0]
VALUE = ${CURRENCY}:10
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-20-0]
VALUE = ${CURRENCY}:20
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-50-0]
VALUE = ${CURRENCY}:50
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-100-0]
VALUE = ${CURRENCY}:100
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-200-0]
VALUE = ${CURRENCY}:200
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-500-0]
VALUE = ${CURRENCY}:500
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
[coin-${CURRENCY}-nok-1000-0]
VALUE = ${CURRENCY}:1000
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
## PVV Special Prices
# 2024 pizza egenandel
[coin-${CURRENCY}-pvv-64-0]
VALUE = ${CURRENCY}:64
DURATION_WITHDRAW = 7 days
DURATION_SPEND = 1 years
DURATION_LEGAL = 3 years
FEE_WITHDRAW = ${CURRENCY}:0
FEE_DEPOSIT = ${CURRENCY}:0
FEE_REFRESH = ${CURRENCY}:0
FEE_REFUND = ${CURRENCY}:0
RSA_KEYSIZE = 2048
CIPHER = RSA
'';
settings = {
exchange = {
inherit (config.services.taler.settings.taler) CURRENCY CURRENCY_ROUND_UNIT;
MASTER_PUBLIC_KEY = "J331T37C8E58P9CVE686P1JFH11DWSRJ3RE4GVDTXKES9M24ERZG";
BASE_URL = "https://exchange.kvernberg.pvv.ntnu.no/";
TERMS_DIR = "${./terms}";
TERMS_ETAG = "0";
ENABLE_KYC = "NO";
};
exchange-offline = {
MASTER_PRIV_FILE = config.sops.secrets.exchange-offline-master.path;
};
exchange-account-test = {
PAYTO_URI = "payto://x-taler-bank/bank.kvernberg.pvv.ntnu.no/exchange?receiver-name=Exchange";
ENABLE_DEBIT = "YES";
ENABLE_CREDIT = "YES";
};
exchange-accountcredentials-test = {
WIRE_GATEWAY_URL = "https://bank.kvernberg.pvv.ntnu.no/accounts/exchange/taler-wire-gateway/";
WIRE_GATEWAY_AUTH_METHOD = "BASIC";
USERNAME = "exchange";
PASSWORD = "exchange";
};
"currency-${CURRENCY}" = {
ENABLED = "YES";
CODE = "SCHPENN";
NAME = "SCHPENN";
FRACTIONAL_NORMAL_DIGITS = 0;
FRACTIONAL_INPUT_DIGITS = 0;
FRACTIONAL_TRAILING_ZERO_DIGITS = 0;
ALT_UNIT_NAMES = "{\"0\": \"S\"}";
};
};
};
services.nginx.virtualHosts."exchange.kvernberg.pvv.ntnu.no" = {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8081";
extraConfig = ''
proxy_read_timeout 300s;
'';
};
};
}

147
hosts/kvernberg/services/pvvvvvv/terms/en/0.txt
View File

@@ -1,147 +0,0 @@
Terms of Service
================
Last update: 19.11.2024
----------------------
Welcome! A subset of PVVers who cares about Dibbler (“we,” “our,” or “us”) provides a experimental payment service
through our Internet presence (collectively the “Services”). Before using our
Services, please read the Terms of Service (the “Terms” or the “Agreement”)
carefully.
Overview
--------
This section provides a brief summary of the highlights of this
Agreement. Please note that when you accept this Agreement, you are accepting
all of the terms and conditions and not just this section. We and possibly
other third parties provide Internet services which interact with the Taler
Wallets self-hosted personal payment application. When using the Taler Wallet
to interact with our Services, you are agreeing to our Terms, so please read
carefully.
Research
----------
This is research, any dibbler credits sent to the dibbler account could be lost at any time.
We would make an effort to send the credits back to their canonical owners, but this may be difficult.
We make no guarantees on the state of this. The dibbler economy is totally unsecured, and so are these services!
Usage is wholly on your own risk.
Highlights:
-----------
* You are responsible for keeping the data in your Taler Wallet at all times under your control. Any losses arising from you not being in control of your private information are your problem.
* For our Services, we may charge transaction fees. The specific fee structure is provided based on the Taler protocol and should be shown to you when you withdraw electronic coins using a Taler Wallet. You agree and understand that the Taler protocol allows for the fee structure to change.
* You agree to not intentionally overwhelm our systems with requests and follow responsible disclosure if you find security issues in our services.
* We cannot be held accountable for our Services not being available due to circumstances beyond our control. If we modify or terminate our services, we will try to give you the opportunity to recover your funds. However, given the experimental state of the Services today, this may not be possible. You are strongly advised to limit your use of the Service to small-scale experiments expecting total loss of all funds.
These terms outline approved uses of our Services. The Services and these
Terms are still at an experimental stage. If you have any questions or
comments related to this Agreement, please send us a message on IRC, or on our Matrix server.
If you do not agree to this Agreement, you must not use our Services.
How you accept this policy
--------------------------
By sending funds to us (to top-up your Taler Wallet), you acknowledge that you
have read, understood, and agreed to these Terms. We reserve the right to
change these Terms at any time. If you disagree with the change, we may in the
future offer you with an easy option to recover your unspent funds. However,
in the current experimental period you acknowledge that this feature is not
yet available, resulting in your funds being lost unless you accept the new
Terms. If you continue to use our Services other than to recover your unspent
funds, your continued use of our Services following any such change will
signify your acceptance to be bound by the then current Terms. Please check
the effective date above to determine if there have been any changes since you
have last reviewed these Terms.
Services
--------
We will try to transfer funds that we hold in escrow for our users to any
legal recipient to the best of our ability and within the limitations of the
law and our implementation. However, the Services offered today are highly
experimental and the set of recipients of funds is severely restricted. The
Taler Wallet can be loaded by exchanging ordinary dibbler credit for electronic
coins. We are providing this exchange service. Once your Taler Wallet is
loaded with electronic coins they can be spent for purchases if the seller is
accepting Taler as a means of payment. We are not guaranteeing that any seller
is accepting Taler at all or a particular seller. The seller or recipient of
deposits of electronic coins must specify the target account, as per the
design of the Taler protocol. They are responsible for following the protocol
and specifying the correct dibbler account, and are solely liable for any losses
that may arise from specifying the wrong account. We will allow the government
to link wire transfers to the underlying contract hash. It is the
responsibility of recipients to preserve the full contracts and to pay
whatever taxes and charges may be applicable. Technical issues may lead to
situations where we are unable to make transfers at all or lead to incorrect
transfers that cannot be reversed. We will only refuse to execute transfers if
the transfers are prohibited by a competent legal authority and we are ordered
to do so.
When using our Services, you agree to not take any action that intentionally
imposes an unreasonable load on our infrastructure. If you find security
problems in our Services, you agree to first report them to
security@taler-systems.com and grant us the right to publish your report. We
warrant that we will ourselves publicly disclose any issues reported within 3
months, and that we will not prosecute anyone reporting security issues if
they did not exploit the issue beyond a proof-of-concept, and followed the
above responsible disclosure practice.
Fees
----
You agree to pay the fees for exchanges and withdrawals completed via the
Taler Wallet ("Fees") as defined by us, which we may change from time to
time.
Copyrights and trademarks
-------------------------
The Taler Wallet is released under the terms of the GNU General Public License
(GNU GPL). You have the right to access, use, and share the Taler Wallet, in
modified or unmodified form. However, the GPL is a strong copyleft license,
which means that any derivative works must be distributed under the same
license terms as the original software. If you have any questions, you should
review the GNU GPLs full terms and conditions on the GNU GPL Licenses page
(https://www.gnu.org/licenses/). “Taler” itself is a trademark
of Taler Systems SA. You are welcome to use the name in relation to processing
payments based on the Taler protocol, assuming your use is compatible with an
official release from the GNU Project that is not older than two years.
Discontinuance of services and Force majeure
--------------------------------------------
We may, in our sole discretion and without cost to you, with or without prior
notice, and at any time, modify or discontinue, temporarily or permanently,
any portion of our Services. We will use the Taler protocols provisions to
notify Wallets if our Services are to be discontinued. It is your
responsibility to ensure that the Taler Wallet is online at least once every
three months to observe these notifications. We shall not be held responsible
or liable for any loss of funds in the event that we discontinue or depreciate
the Services and your Taler Wallet fails to transfer out the coins within a
three months notification period.
We shall not be held liable for any delays, failure in performance, or
interruptions of service which result directly or indirectly from any cause or
condition beyond our reasonable control, including but not limited to: any
delay or failure due to any act of God, act of civil or military authorities,
act of terrorism, civil disturbance, war, strike or other labor dispute, fire,
interruption in telecommunications or Internet services or network provider
services, failure of equipment and/or software, other catastrophe, or any
other occurrence which is beyond our reasonable control and shall not affect
the validity and enforceability of any remaining provisions.
Questions or comments
---------------------
We welcome comments, questions, concerns, or suggestions. Please send us a
message via the usual communication channels at PVV

8
hosts/shark/configuration.nix
View File

@@ -1,13 +1,13 @@
{ config, fp, pkgs, values, ... }:
{ config, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
(fp /misc/metrics-exporters.nix)
../../base
../../misc/metrics-exporters.nix
];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;

2
justfile
View File

@@ -18,7 +18,7 @@ run-vm machine=`just _a_machine`:
nix eval .#inputs --apply builtins.attrNames --json \
| jq '.[]' -r \
| gum choose --no-limit --height=15 \
| xargs -L 1 nix flake lock --update-input
| xargs nix flake update --commit-lock-file
_a_machine:

24
misc/metrics-exporters.nix
View File

@@ -14,31 +14,13 @@
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
values.hosts.ildkule.ipv4_global
values.hosts.ildkule.ipv6_global
];
};
services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
networking.firewall.allowedTCPPorts = [ 9100 ];
services.promtail = {
enable = true;

44
modules/grzegorz.nix
View File

@@ -1,26 +1,31 @@
{config, lib, pkgs, ...}:
let
grg = config.services.greg-ng;
grg = config.services.grzegorz;
grgw = config.services.grzegorz-webui;
in {
services.greg-ng = {
enable = true;
settings.host = "localhost";
settings.port = 31337;
enableSway = true;
enablePipewire = true;
services.pipewire.enable = true;
services.pipewire.alsa.enable = true;
services.pipewire.alsa.support32Bit = true;
services.pipewire.pulse.enable = true;
users.users.pvv = {
isNormalUser = true;
description = "pvv";
};
services.grzegorz-webui = {
enable = true;
listenAddr = "localhost";
listenPort = 42069;
listenWebsocketPort = 42042;
hostName = "${config.networking.fqdn}";
apiBase = "http://${grg.settings.host}:${toString grg.settings.port}/api";
};
services.grzegorz.enable = true;
services.grzegorz.listenAddr = "localhost";
services.grzegorz.listenPort = 31337;
services.grzegorz-webui.enable = true;
services.grzegorz-webui.listenAddr = "localhost";
services.grzegorz-webui.listenPort = 42069;
services.grzegorz-webui.listenWebsocketPort = 42042;
services.grzegorz-webui.hostName = "${config.networking.fqdn}";
services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
services.nginx.enable = true;
services.nginx.virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
@@ -35,19 +40,20 @@ in {
'';
locations."/" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenPort}";
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenPort}";
};
# https://github.com/rawpython/remi/issues/216
locations."/websocket" = {
proxyPass = "http://${grgw.listenAddr}:${toString grgw.listenWebsocketPort}";
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz-webui.listenWebsocketPort}";
proxyWebsockets = true;
};
locations."/api" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
locations."/docs" = {
proxyPass = "http://${grg.settings.host}:${toString grg.settings.port}";
proxyPass = "http://localhost:${builtins.toString config.services.grzegorz.listenPort}";
};
};
}

30
packages/bluemap.nix
View File

@@ -1,30 +0,0 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.2";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion ];
mainProgram = "bluemap";
};
}

11
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -18,8 +18,6 @@ mediawiki:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
roundcube:
postgres_password: ENC[AES256_GCM,data:fGHmq6r/ZCeIseHL8/gmm5DfWQYorI3OJq1TW0EHvh7rHL62M4TE+Lrlrmq8AIlmGLSWtO8AQzOP3toxidL6xWX3pcwLxtTefa1gom2oQf6ZL4TbAZLidHksdiro6pWtpMOO66bb8O9eXvZmns4=,iv:Irnb2/bgx8WilDyRLleWfo6HHafZ+vlDEwxIcgm1f18=,tag:eTNBUELmLwO7DsQN9CLX7Q==,type:str]
idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
@@ -34,9 +32,6 @@ nettsiden:
admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
vaultwarden:
environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
bluemap:
ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
sops:
kms: []
gcp_kms: []
@@ -97,8 +92,8 @@ sops:
UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-12T21:56:27Z"
mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
lastmodified: "2024-08-26T19:38:58Z"
mac: ENC[AES256_GCM,data:3FyfZPmJ7znQEul+IwqN1ZaM53n6os3grquJwJ9vfyDSc2h8UZBhqYG+2uW9Znp9DSIjuhCUI8iqGKRJE0M/6IDICeXms/5+ynVFOS9bA2cdzPvWaj0FFAd2x3g4Vhs47+vRlsnIe/tMiKU3IOvzOfI6KAUHc9L2ySrzH7z2+fo=,iv:1iZSR9qOIEtf+fNbtWSwJBIUEQGKadfHSVOnkFzOwq8=,tag:Sk6JEU1B6Rd1GXLYC6rQtQ==,type:str]
pgp:
- created_at: "2024-08-04T00:03:28Z"
enc: |-
@@ -121,4 +116,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.9.0

16
secrets/bicep/matrix.yaml
View File

@@ -2,16 +2,14 @@ synapse:
turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
sliding-sync:
env: ENC[AES256_GCM,data:DsU1qKTy5sn06Y0S5kFUqZHML20n6HdHUdXsQRUw,iv:/TNTc+StAZbf6pBY9CeXdxkx8E+3bak/wOqHyBNMprU=,tag:er5u4FRlSmUZrOT/sj+RhQ==,type:str]
coturn:
static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
mjolnir:
access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str]
discord:
as_token: ENC[AES256_GCM,data:cnPZjBbODZUA1p0kLNeWpKh1oGkDPxDw/g7163XnoRCIgpqk,iv:Uu4L36uDPMBgzdXE2Lt9U0qrBSl3Xuufh1313BD8B/U=,tag:nTm6s7IGd4vNzZ95mfxDpA==,type:str]
hs_token: ENC[AES256_GCM,data:UzcaNsJtJPKvFT4gQDNfat0nmyJzmQ6OcSI73pANibzOVrWl,iv:ujgRM2jb1rbeloPB4UPLBEvQ7uue4a+bHiqsZAHIqtk=,tag:uIfuaTWSTeVvpQx5o28HPA==,type:str]
hookshot:
as_token: ENC[AES256_GCM,data:L4vEw5r4RhcgritOeDTLHN5E/dM=,iv:pC8BLzxf6NaVAGsotoq6chOceBVdMLvrsQn1LGw9H9w=,tag:SI3CDFHAvgQZEvf/oms3EA==,type:str]
hs_token: ENC[AES256_GCM,data:2ufSJfYzzAB5IO+edwKSra5d/+M=,iv:cmTycGzNL+IeRRKZGbkhTtiksYTtbxED0k0B5haFw7k=,tag:FmWe5sGi9rlapUeAE6lKvg==,type:str]
registrations:
mx-puppet-discord: ENC[AES256_GCM,data:FleyXxgOmc05nTP6M2DBJlacufN3p/05eZm4kB8+K4ci0k24o3zli988wlM/kyeZmxu4pgQlJ3lNLte4uip2hBXHWG5t5Ldzmr7bNCUD+r7nM+I1lfNkrDROPZ54bHysmn9O5CHpEa16rSo6RJgncIPqsLJxTwjC7qZlkOpzqvMhkq/MHCVOpvg0M/6AUR+AlSZoggujBMoXLznQNQapN13foEsbuo/QxjszM/ObGmhYMVyaS+TDBXzQLA8Yuj50Q/gZCIINWZ4G2qmgsGxxNR4I+usUQml/jxCtIXS4zn/ettXfL9G4Fdm2F9u1v11DehtTGa5xoxDq94M9rIxOqeJpvgEQEyyKAyFUIrlINfGl7tAj4Zu7+9Z8JTRAnppjM1q8iInwn/Z2L9KgB0YFi/Go1whgXly+TH6hpreo7m5klXV/ff/aV3ghOgFCGA8nBrZFqE8Uw268q9tV1s1dxCb6TbpGf19V5c9MD6BsCIVeoq+j9I/I8iZpzg2Reb4IlHhMDwbwsL2w2ks30wiZ9XO/CFrXDY4uBlI=,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str]
sops:
kms: []
gcp_kms: []
@@ -72,8 +70,8 @@ sops:
WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-13T23:30:01Z"
mac: ENC[AES256_GCM,data:vdsAZmg7gPqzeucBhLhPemtRVkcxRecIdB6PXZ4paU+Uv5UorBKcTZ3jseN2cLi6ot3ycTIm+UI6uhlCy87vAJVynVJhuJS+ICFRS2+DfoVyuttLjZQGC2sr3+dEBHxIH7sZJSo9PIzbIWw3qHrpOPAZj0//1pFyp/k15k3vidM=,iv:jWtV+WAPt08lgdrVvtXOl35rDB4QflkZWuGBW1+ESyw=,tag:YxSHncZZOAW5uDxXtb/krw==,type:str]
lastmodified: "2023-10-22T00:31:46Z"
mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
pgp:
- created_at: "2024-08-04T00:03:46Z"
enc: |-
@@ -96,4 +94,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3

24
secrets/kvernberg/exhange-offline-master.priv
View File

@@ -1,24 +0,0 @@
{
"data": "ENC[AES256_GCM,data:dhVo1B+ZG1B6s0bTLgph4ipPmi0mveaObbJAffDQbpY=,iv:P5plvu4DQYa99cQZQ6B/gEFcSffu3lTY3+Z80Cfoj94=,tag:4xcqCbn6fFSmCbYmmEgQEg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age19rlntxt0m27waa0n288g9wgpksa6ndlzz8eneeqya7w3zd7may0sqzhcvz",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MzVHSE15Nk9MODQxc2g0\nbHlqNmFKclBYbUNKQTNUOGo0VThiaEZTVzJFCmU2YkYwMXlyeHM3ZzAxOWZpa3k4\nUUJLanVFbkNMa25RcGZmOTBsVmtzazQKLS0tIE1sTTBqT3VJMDFOYXl0T1JvcDRV\nRFpsZGNOZzFzMFc3YzcxeXdIK1d6QUUKzy0n7DJsOmrNvU03Tn6Zcj/l/kAylzzP\nhNnFLXfStdKl3A/qrzBPhTVbYD73yFkZuQ+bDr7/IMsHAmDsztuA9g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbEdBWjdEbmtNYWJHQnFj\nSU1yb0NYVG4xVlZkYTdUWUpDcGdmbFF6U1NrCjBlWFZkcC9FMVJLYUtDNlBTUWcw\nNHBwWFNESDBQQmJNb3NDN2tDekM4eUUKLS0tICtMVGc1L2JFQ1BqKzM3eWFPRmRQ\nWXlQUWpvdUdOUlZ1OFhtS0ErL0JKSlUKzxLKbsnXvEqnR2HVsTxNqmM7YPjWfCjG\nZ4Bf046NdseomkNuTvWuPzjzPTe4GvjudMYc4ODchkIMOo6hXyf5kw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-17T01:12:23Z",
"mac": "ENC[AES256_GCM,data:aXIM/pmgVmfNSa+PwpfK6Efh/kCWXUqZNcKLkyhRwl++vaIBQUIQgQjv09hWHOF77V3ZjRQjh2E1uNe2baBLEmrDT5Au+7VABW+j49KX/vKMd+1l4w47l3DukOVnoo50bsOQFtH+amSl2P2imxpO15sjVDu9/nUeu2qXrtbIUh8=,iv:BQVs3P9p86uzTH2BfuSOxycpE6di4ZIwSz7OTZdcQPg=,tag:mT4Ek8dDbVINGp4Odt62zw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

13
users/alfhj.nix
View File

@@ -1,13 +0,0 @@
{pkgs, ...}:
{
users.users.alfhj = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
];
};
}

2
users/danio.nix
View File

@@ -3,7 +3,7 @@
{
users.users.danio = {
isNormalUser = true;
extraGroups = [ "drift" "nix-builder-users" "wheel" ];
extraGroups = [ "drift" "nix-builder-users" ];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [

46
values.nix
View File

@@ -25,17 +25,16 @@ in rec {
hosts = {
gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1;
bekkalokk = {
ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168;
};
ildkule = {
ipv4 = "129.241.153.213";
ipv4_internal = "192.168.12.209";
ipv4_internal_gw = "192.168.12.1";
ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
ipv4 = "10.212.25.209";
ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
ipv4_global = "129.241.153.213";
ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
};
bicep = {
ipv4 = pvv-ipv4 209;
@@ -60,18 +59,39 @@ in rec {
ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
};
kvernberg = {
ipv4 = pvv-ipv4 206;
ipv6 = pvv-ipv6 "1:206";
buskerud = {
ipv4 = pvv-ipv4 231;
ipv6 = pvv-ipv6 231;
};
};
defaultNetworkConfig = {
dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
gateway = [ hosts.gateway hosts.gateway6 ];
networkConfig.IPv6AcceptRA = "no";
gateway = [ hosts.gateway ];
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "no";
};
openstackGlobalNetworkConfig = {
networkConfig.IPv6AcceptRA = "yes";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
};
openstackLocalNetworkConfig = {
networkConfig.IPv6AcceptRA = "no";
dns = [ "129.241.0.200" "129.241.0.201" ];
domains = [ "pvv.ntnu.no" "pvv.org" ];
DHCP = "yes";
# Only use this network for link-local networking, not global/default routes
dhcpV4Config.UseRoutes = "no";
routes = [
{ routeConfig = { Destination = "10.0.0.0/8"; Gateway = "_dhcp4"; }; }
];
linkConfig.RequiredForOnline = "no";
};
}